For the past few months, two Filipino hacking groups, called DarkNet Philippines and FilTech Hackers Philippines, have been not only performing cyber-attacks that repeatedly target Filipino banks, but they have also been involved in Hacktivism campaigns. These different types of campaigns included a wide array of attack types, such as defacement, phishing, malware and more.
These incidents make up hundreds each month, creating not only challenges for the banks’ cyber defence and IT teams, but also for their customers, who may experience drops in availability and service level.
Cyber-attacks against banks are not unusual. In fact, they are very common. In 2019 alone, FraudWatch International monitored over 16,000 attempted attacks against financial institutions, or their clients, using various attack methods. The vast majority of these incidents are loud and detectable and last up to a couple of weeks at most.
It is rare to see a cyber threat actor relentlessly going after the same target over and over without moving on or being stopped, but DarkNet Philippines have been doing just that. They’ve been using their full force since October 2019, although it seems the current COVID-19 pandemic has slowed them down a bit from the beginning of 2020. These repeated attacks are usually run using a quiet cyber-attack carried out by an Advanced Persistent Threat (APT) group.
As the diagram below shows, the average number of attacks against FraudWatch International’s Filipino financial clients grew by a staggering 393% between October 2019 and March 2020, in comparison to the period between January and September 2019.
Most of these attacks are not very sophisticated, but they do succeed in interrupting regular banking activity.
FilTech Hackers Philippines are less active but are constantly looking for their next target. They often piggyback off an international campaign (where they join forces with the notorious Anonymous group, for example), or a local one that fits their cause.
Who is behind these hacker groups?
DarkNet Philippines is more of an ideology than a mere hacker group and has many similarities to the infamous hacking collective ‘Anonymous’. Using a similar modus operandi, they have many hackers taking part in their actions, with most of them changing their phishing kits and attack kits’ folders after joining, a sign that DarkNet Philippines are less of a hierarchical group and more of a hacking collective.
On the flip side, the main goal of FilTech Hackers Philippines appears to be focussed on creating business disruption by defacing websites. Their motivations consist of patriotic undertones, as demonstrated by the fact that some of their logos use the Philippines flag as a backdrop, although in the future, the group’s goals could change to include monetary gains.
It is led by a threat actor dubbed ‘Gr3ySh4DoW’ and is a LulzSec affiliate.
What attacks have the hacking groups performed so far?
In 2019, FraudWatch International’s Security Operations Centre (SOC) monitored a large amount of phishing and malicious domain attacks, performed by Darknet Philippines, against banks in the Philippines. During the latter part of the year, the number of Darknet Philippines attributed attacks on banks per month, multiplied by a factor of 12.44.
Most of these attacks consisted of three stages:
1. Redirection of victim’s traffic, after the victim clicked on a phishing link.
2. Victim lands on a compromised website which redirects the victim again (“middle target”).
3. Victim lands on the destination page, usually a fake bank login page for one of the targeted banks. The redirection, done via the compromised site in the middle, is carried out seamlessly so that the victim is unaware of any redirection. The use of stage two is an obfuscation technique.
The phishing pages cannot be displayed if only the destination URL (stage three) is entered in a browser. For the destination page to properly display, the victim must follow all three attack stages.
Darknet Philippines also had an IP block list and a fake Internal Server Error displayed on the phishing website, to trick those who might view it from outside the Philippines or without the redirect chain. This Geo-restriction ensured that only the group’s designated victims would be affected, indicating that these were extremely organized attacks.
It is very likely that cybercriminals put in the extra effort and deployed these techniques to try to avoid detection from security service providers like FraudWatch International.
A large number of users from the targeted banks are also falling victim to these attacks.
Campaigns performed by FilTech Hackers Philippines were a bit different in nature, mostly centred around Hacktivism. The group participated in the 2019 April Lulz event; an annual three-day international hacking operation launched by LulzSec affiliates all around the world. Alongside FilTech Hackers Philippines, other participating Filipino groups were Pinoy LulzSec and Pinoy ClownSec.
It was claimed that, during 2019’s April Lulz campaign, the details of almost 20,000 Philippine soldiers (personal information, injuries and missions) were exposed. The Philippine army claims the data was actually from an old database that was made public a few months prior.
Another operation by FilTech Hackers Philippines, further strengthening their patriotic undertones, included cyber-attacks against Vietnamese hacking groups in retaliation for hacking into and selling top Filipino users’ Facebook accounts (a cyber confrontation that has been since resolved).
What are the hacking groups trying to achieve?
As we mentioned earlier, Darknet Philippines and FilTech Hackers Philippines have quite different objectives.
Darknet Philippines seem to be more interested in attacking banks and their clients to make a direct or indirect monetary gain. They empty accounts or sell data to other criminal actors on the dark web to achieve this. FilTech Hackers Philippines, on the other hand, are more interested in hacktivism and fighting for what they perceive to be justice. They claim to fight for the Filipino people when they feel Filipinos are targeted.
It is currently unclear whether FilTech Hackers Philippines cooperate with DarkNet Philippines and if so, to what extent.